fix: add useEmailAzp claim for id token iam flow (#1270)

googleapis · Apr 10, 2023 · 7a9c6f2 · 7a9c6f2
1 parent 976c7a6
commit 7a9c6f2
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/google/oauth2/_client.py b/google/oauth2/_client.py
@@ -331,7 +331,7 @@ def call_iam_generate_id_token_endpoint(request, signer_email, audience, access_
     Returns:
         Tuple[str, datetime]: The ID token and expiration.
     """
-    body = {"audience": audience, "includeEmail": "true"}
+    body = {"audience": audience, "includeEmail": "true", "useEmailAzp": "true"}
 
     response_data = _token_endpoint_request(
         request,

diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
@@ -743,10 +743,9 @@ def _refresh_with_iam_endpoint(self, request):
         request to IAM generateIdToken endpoint. The request body is:
             {
                 "audience": self._target_audience,
-                "includeEmail": "true"
+                "includeEmail": "true",
+                "useEmailAzp": "true",
             }
-        TODO: add "set_azp_to_email": "true" once it's ready from server side.
-        https://github.com/googleapis/google-auth-library-python/issues/1263
 
         If the request is succesfully, it will return {"token":"the ID token"},
         and we can extract the ID token and compute its expiry.

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/tests/oauth2/test__client.py b/tests/oauth2/test__client.py
@@ -326,6 +326,7 @@ def test_call_iam_generate_id_token_endpoint():
     response_body = json.loads(request.call_args[1]["body"])
     assert response_body["audience"] == "fake_audience"
     assert response_body["includeEmail"] == "true"
+    assert response_body["useEmailAzp"] == "true"
 
     # Check result
     assert token == id_token